News Feature | December 29, 2016

Singaporean Researchers Aiming To Boost RFID Security

By Jof Enriquez
Follow me on Twitter @jofenriq

RFID Tag - Blue

Singaporean scientists are researching various methods to beef up the security capabilities of RFID (radio frequency identification) technologies as these become more ubiquitous.

RFID uses radio waves to automatically identify and track objects with tags containing electronically stored information, up to several feet away and with no direct line-of-sight requirements. It's used in myriad applications – from embedding passport information and tracking materials and goods in supply chain management, to tagging medical devices and drugs, and even localizing cancerous tumors.

Unfortunately, devices embedded with RFID tags can be easily scanned by a nearby RFID reader to reveal their contents, possibly resulting in its use for nefarious purposes.

“A security breach in RFID applications would leak valuable information about physical objects to unauthorised parties,” says Li Yingjiu, associate professor at the Singapore Management University (SMU) School of Information Systems, and an expert on RFID security and privacy, in a news release.

In supply chain management, for example, businesses can lose to hackers "inventory levels, trading volumes, trading partners, and even business plans," he said.

To make hacking of RFID devices more difficult, Professor Li and colleagues have devised a set of dual-mode, two-security-level RFID protocols designed to strengthen the security features of RFID-led supply chain management.

"In the relatively secure environment, our system is set to the weak security mode, and the tagged products can be processed in a highly efficient manner. While in the less secure environment, our system is tuned into the strong security mode so as to maintain a high level of security with its efficiency lower than that in the weak security mode," the researchers write in Achieving High Security and Efficiency in RFID-Tagged Supply Chains, which was published in the International Journal of Applied Cryptography.

Professor Li and his team describe strategies to protect communications between RFID tags and readers, such as making the protocol’s output unpredictable, making two tags indistinguishable to the hacker, and preventing hackers from obtaining useful information even if they manage to interact with the tags. They also designed improved access control mechanisms that protect RFID information when it is shared on the Internet.

Contactless payments and mobile banking transactions can now be carried out through services like Apple Pay and Google Wallet, which rely on NFC (near field communication) technology – a type of RFID technology. The convenience offered by these services comes with the danger of leaking private and sensitive information through malicious code embedded in third-party apps.

Professor Li and colleagues identified a number of attacks using such codes that targeted Apple iPhone users, and Apple later plugged security loopholes based on their findings, detailed in Launching Generic Attacks on iOS with Approved Third-Party Applications, a paper published in the Proceedings of Applied Cryptography and Network Security: 11th International Conference, ACNS 2013.

The group later reported Android framework vulnerabilities and potential attacks to Google, and also developed a set of smartphone vulnerability analysis tools in collaboration with Chinese telecommunications company Huawei.

Working with Professor Robert Deng, also at the SMU School of Information Systems, Professor Li now is developing new solutions for attribute-based encryption – a form of encryption that gives data owners better control over who can access their data. The duo, along with Junzuo Lai and Jian Weng of Jinan University – China, has shared its cybersecurity-themed proposal, titled Fully Secure Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts and Fast Decryption.

The persistent challenge for these Asian security researchers is bringing their academe-led research to practical use by industry, which is more attuned to market needs. “The future of data security, in my vision, is how to narrow the gap and bridge the two communities, which have completely different incentives and evaluation criteria,” says Professor Li.